On 4 June 2021 the European Commission published new Standard Contractual Clauses, EU SCCs, set contract wording to safeguard personal data being exported to a third country, by a party which is subject to the EU GDPR. One key development is that the new EU SCCs now account for processor-to-processor and processor-to-controller transfers, as opposed to just controller-to-controller or controller-to-processor.
From 27 June 2021, organisations subject to the EU GDPR could begin using the new EU SCCs. From 27 September 2021 only the updated EU SCCs could be used for new arrangements and the previous set could no longer be signed. Organisations now have until 27 December 2022 to transition all existing arrangements from the previous version of the EU SCCs onto the new version.
Meanwhile in the UK, in August 2021 the ICO published a draft International Data Transfer Agreement, IDTA, for consultation, a final form of which is expected to be published in early 2022. The IDTA will operate as an appropriate safeguard for transfers of personal data, where the UK GDPR applies to the personal data being transferred.
The ICO also published:
Once the final IDTA and UK Addendum are published the ICO will confirm the applicable grace periods for implementing the updated safeguards.
At the moment we anticipate that organisations will have:
It is important that businesses assess their international data flows to identify where action is required.
If you have any questions regarding international data transfers, please contact our Data Protection team.
We produce a range of insights and publications to help keep our clients up-to-date with legal and sector developments.
Sign up
